The latest privacy gaffe by the social network was revealed Friday, when Facebook warned that for a 12-day period in September, up to 6.8 million users' private photos may have been revealed to 1,500 apps built by 876 developers.

"Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos," writes Tomer Bar, engineering director at Facebook, in a blog post. "We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between Sept. 13 to Sept. 25, 2018."

Facebook's single sign-on system, called Facebook Social Login or Facebook Login, allows users to access compatible third-party website services or mobile apps without having to log in again.

"The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018," a spokesman for the DPC tells Information Security Media Group. Those notifications led the regulator to launch a full investigation last week.

"We have ... commenced a statutory inquiry examining Facebook's compliance with the relevant provisions of the GDPR," he says.

Ireland's DPC takes the lead on all investigations under GDPR that involve Facebook. That's because Facebook has its EU "main establishment" in Dublin, and so it qualifies for a one-stop-shop mechanism under GDPR that ensures that only the privacy watchdog in the country in which it is headquartered conducts any privacy investigations.

Some other technology giants, including Microsoft, Twitter, and soon, Google, also have their EU main establishments in Ireland.

Facebook didn't immediately respond to a request for comment on the DPC's probe.

Facebook says the latest flaw was inadvertent, and it hasn't said there are any signs that it was actively exploited. "The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos," Bar writes.

Even so, the problem has yet to be resolved, although Facebook says it will put tools designed to spot the image exposure in developers' hands this week. "We will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug," Bar writes. "We will be working with those developers to delete the photos from impacted users. We will also notify the people potentially impacted by this bug via an alert on Facebook."

Facebook is notifying anyone who may have been impacted by its private photo-exposing bug via an alert. "The notification will direct them to a Help Center link where they'll be able to see if they've used any apps that were affected by the bug," Facebook says.

Facebook also recommends that all users review which third-party apps they allow to access their photos and cancel access for any apps that should not have it.

Definition: Private Photos

What does Facebook mean by private photos? Facebook says any app to which a user grants photo access is only meant to see the user's timeline photos. But this API bug potentially also gave developers access to photos users shared on Marketplace, via Facebook Stories, or to photos they had uploaded but either chosen to not post, or not yet posted.

Facebook says it stores any photo that a user uploads but doesn't post for three days - in case they choose to finish their post - before deleting it.
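An added illustration of the scope mistake described above, not Facebook's code: the photo store, the surface labels and the retention helper are assumed for the example. The over-broad filter returns everything stored for a user who granted photo access, the scoped filter returns only posted timeline photos, and the difference between the two is the set of images a developer-side cleanup tool would need to identify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str          # assumed labels: "timeline", "marketplace", "story"
    uploaded_at: datetime
    posted: bool          # False for an upload the user never finished posting

TIMELINE = "timeline"
UNPOSTED_RETENTION = timedelta(days=3)   # the three-day hold the article describes

def purge_expired_uploads(photos, now):
    """Drop never-posted uploads older than the retention window."""
    return [p for p in photos if p.posted or now - p.uploaded_at < UNPOSTED_RETENTION]

def buggy_photos_for_app(photos, user):
    """Over-broad: only checks who owns the photo, so every stored image is returned."""
    return [p for p in photos if p.owner == user]

def scoped_photos_for_app(photos, user):
    """Data-minimising: the granted permission covers posted timeline photos and nothing else."""
    return [p for p in photos if p.owner == user and p.surface == TIMELINE and p.posted]

def excess_exposure(photos, user):
    """Photos the broken filter hands out that the scoped filter would not."""
    allowed = {p.photo_id for p in scoped_photos_for_app(photos, user)}
    return [p for p in buggy_photos_for_app(photos, user) if p.photo_id not in allowed]

# Constructed sample store (not real data); NOW falls inside the 12-day window.
NOW = datetime(2018, 9, 20)
SAMPLE = [
    Photo("p1", "alice", TIMELINE, NOW - timedelta(days=30), True),
    Photo("p2", "alice", "marketplace", NOW - timedelta(days=2), True),
    Photo("p3", "alice", "story", NOW - timedelta(hours=5), True),
    Photo("p4", "alice", TIMELINE, NOW - timedelta(days=1), False),  # unposted, still within 3 days
    Photo("p5", "alice", TIMELINE, NOW - timedelta(days=5), False),  # stale unposted upload, purged
    Photo("p6", "bob", TIMELINE, NOW - timedelta(days=3), True),
]

if __name__ == "__main__":
    store = purge_expired_uploads(SAMPLE, NOW)
    print("in scope:", [p.photo_id for p in scoped_photos_for_app(store, "alice")])
    print("over-exposed:", [p.photo_id for p in excess_exposure(store, "alice")])
```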

Single Sign-On Downsides

The private photo exposure again involves anyone who used Facebook Login, which is Facebook's single sign-on system, also known as Facebook Social Login. It allows users to access compatible third-party website services or mobile apps without having to log in again.

But some information security experts have warned that security-conscious users should avoid social networks' SSO systems at all costs.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
